Indian hacking gang goes on three-year Chinese phishing trip

Gang has cunning way of hiding itself by using multiple names

Suspected hackers based in India have compromised thousands of computers, going about their business as far back as 2013.

The group has been rumbled by three security firms over that time, but was until now considered to be several discrete entities.

Now Forcepoint researchers Andy Settle, Nicholas Griffin, and Abel Toro say the Monsoon group, dubbed previously as Patchwork APT, Dropping Elephant, and Operation Hangover, has used spear phishing emails to effectively target organisations with infected Word macros that drop trojans.

Whatever the group is called, it has exploited vulnerabilities (CVE-2012-0158, CVE-2014-6352, and CVE-2015-1641) to infect more than 6300 users across 110 countries. Two of those could enable remote code execution.

The dodgy malware dealer used command and control infrastructure built using RSS feeds and even GitHub accounts and pinched malicious code from other hacking operations.

Forcepoint built on work by Cymmetria, Kaspersky, and 2013 work by BlueCoat, the latter of which revealed the group's exploitation of a then Microsoft Office zero day.

The new research is a comprehensive 57-page examination [PDF] of the group's hacking activities and tactics, techniques, and procedures including various operations and the malware used in each.

The team focussed on an ongoing campaign to target Chinese nationals that began in December 2015 .

"The overarching campaign appears to target both Chinese nationals within different industries and government agencies in Southern Asia," the research trio say.

"Among the evidence gathered during the Monsoon investigation were a number of indicators which make it highly probable that this adversary and the Operation Hangover adversary are one and the same.

"These indicator include the use of the same infrastructure for the attacks, similar tactics techniques, and procedures, the targeting of demographically similar victims and operating geographically within the Indian Subcontinent."

Monsoon's phishing efforts are mostly politically charged topical news events that hide weaponised payloads. ®

Similar topics

Other stories you might like

Biting the hand that feeds IT © 1998–2021